TRACIO is a client-server identification system. The client collects browser signals and sends them to the server, which computes a stable visitor identifier, runs detection algorithms, and returns enriched results. This section explains each stage of the pipeline.
Browser TRACIO Cloud | | |-- Tracio.init({ publicKey }) ---------> | (init, no network) | | |-- tracio.getResult() ----------------> | | 1. Collect 146 browser signals | | 2. Encrypt (XOR + deflate + B64) | | 3. POST to ingress endpoint | | | | |-- Decrypt & extract signals | |-- Compute visitor ID (MurmurHash3-128) | |-- Run bot detection (14 detectors) | |-- Run smart signals (24 enrichments) | |-- Run IP intelligence (VPN/proxy/Tor) | |-- Store visit event | | |<-- JSON response ------------------- | | visitorId, confidence, | | bot detection, smart signals | | | |-- Store visitor cookie (_tcid) -----> | (365-day persistence)When tracio.getResult() is called, the client collects 130+ distinct browser signals organized into tiers. Collection uses a multi-phase pipeline with Web Workers and shared iframes for performance.
| Category | Signal Count | Examples |
|---|---|---|
| Canvas & WebGL | 9 | Canvas fingerprint, WebGL renderer, WebGL parameters, WebGPU |
| Audio | 3 | AudioContext fingerprint, base latency, DRM timing |
| Fonts & Rendering | 10 | Font detection, font preferences, MathML, emoji rendering |
| Navigator & Platform | 25 | User-Agent, languages, screen, hardware concurrency, timezone |
| Storage & Cookies | 10 | localStorage, sessionStorage, cookies, storage quota |
| CSS & Media Queries | 10 | Color scheme, HDR, reduced motion, forced colors |
| Network & WebRTC | 3 | TURN probe, connection RTT, app version |
| Bot Detection | 15 | Webdriver flag, automation frameworks, eval length |
| Tamper Detection | 8 | Property getter introspection, prototype chains, native function integrity |
| Custom Extensions | 14 | Math fingerprint, architecture detection, WASM features |
The collection pipeline runs in four stages to minimize main thread blocking:
Stage 1 (Immediate): High-priority signals that are fast to collect (navigator properties, screen, timezone). The TURN probe also starts here as it runs concurrently.
Stage 2 (Idle Callback): Synchronous signals that benefit from an idle period (CSS media queries, storage probes, cookie tests).
Stage 3 (Async): Signals requiring asynchronous APIs or rendering (canvas, WebGL, audio fingerprint, font detection, emoji rendering).
Web Worker: Isolated signal collection in a dedicated thread (WASM feature detection, doNotTrack).
A shared hidden iframe is created once and reused by multiple collectors (emoji, MathML, system colors, fonts, screen frame) to avoid the overhead of creating separate iframes per signal.
Every signal follows a consistent structure:
interface Signal<T> { s: number // Status code v: T // Value (when successful)}Status codes:
| Code | Meaning |
|---|---|
0 | Success |
-1 | Not available (property undefined) |
-2 | Secondary check failed |
-3 | Unexpected behavior |
-4 | Timeout |
-5 | Disabled |
-6 | CSP blocked |
-7 | Security error |
Collected signals are serialized to JSON, then encrypted and compressed before transmission:
JSON serialization: All signal values are packed into a JSON object with keys s1 through s212 plus metadata fields (c for API key, t for tag, lid for linked ID).
Compression: If the payload exceeds 1024 bytes, it is compressed using CompressionStream("deflate-raw").
XOR Encryption: The payload is wrapped in an encryption envelope:
Base64 encoding: The encrypted payload is Base64url-encoded and sent as the POST body.
The request is sent to the ingress endpoint with query parameters for client version and API key. CORS credentials are included to send first-party cookies.
The server receives the encrypted payload and processes it through several subsystems:
The server decodes the XOR envelope, decompresses if needed, and parses the JSON signal data. Each signal's status code and value are extracted and validated.
The visitor ID is computed using a tiered hashing approach (V3):
Tier 1 (Frozen): 20 base62 characters - Stable hardware signals that rarely change - Canvas, WebGL renderer, audio fingerprint, fonts - Provides long-term visitor identity
Tier 2 (Semi-stable): 10 base62 characters - Signals that change with browser updates - User-Agent data, Client Hints, plugins - Extensible without breaking Tier 1
Tier 3 (Volatile): 10 base62 characters - Signals that change frequently - Screen resolution, timezone, language - Used for confidence scoring, not identityEach tier extracts its designated signals, builds a canonical string, and hashes it with MurmurHash3-x64-128. The three tier hashes are concatenated and encoded in base62 to produce the final visitor ID.
The confidence score (0.0 to 1.0) indicates how certain the system is that this visitor has been correctly identified:
_tcid cookie matches, confidence is maximum.The bot detection engine runs 14 independent detectors in priority order:
24 server-side enrichment signals are computed from the raw signal data, IP intelligence, and behavioral analysis. These include VPN detection, proxy classification, Tor identification, IP geolocation, browser tampering analysis, incognito detection, and suspect scoring.
The IP intelligence subsystem provides:
The server returns a JSON response containing:
{ "visitorId": "X7fh2Hg9LkMn3pQr", "bot": { "detected": false, "confidence": 2, "reasons": [] }}This is the result tracio.getResult() resolves to in the browser. The
full, enriched event — including the canonical bot_result
(human / bot / uncertain), geolocation, and smart signals — is
available server-side through the Server API and
webhooks.
The client stores a visitor token in both a first-party cookie (365-day expiry, SameSite=Lax) and localStorage for persistence across sessions.
| Step | Location | Duration | Description |
|---|---|---|---|
| 1 | Browser | ~5ms | Initialize agent, create shared iframe |
| 2 | Browser | ~50-150ms | Collect 130+ signals (parallel, multi-phase) |
| 3 | Browser | ~5ms | Encrypt and compress payload |
| 4 | Network | ~10-50ms | POST to server |
| 5 | Server | ~5-20ms | Decrypt, extract signals, compute visitor ID |
| 6 | Server | ~5-15ms | Run bot detection and smart signals |
| 7 | Server | ~5ms | Build response |
| 8 | Network | ~10-50ms | Return JSON response |
| 9 | Browser | ~1ms | Store visitor cookie |
Total round-trip: Typically 80-300ms depending on network conditions and browser capabilities.